Posted by David Harley on October 13, 2015.
Today has, if my email is anything to go by, been a good day to panic. Dying seems to be next on the agenda. And it’s barely afternoon yet.
Following the claims by the FBI (according to the Independent) earlier this year that Chris Roberts caused a Boeing airliner to change course by hacking into the entertainment system, the director of the European Aviation Safety Agency apparently told journalists that ACARS (Aircraft Communications Addressing and Reporting System) could be used to hack into an aircraft’s critical systems ‘from the ground’. The Daily Caller tells us that a Michigan Congressperson told a subcommittee of the House Homeland Security Committee that cyberattacks against US seaports ‘could “allow the release of harmful and dangerous chemicals” in heavily populated urban areas’. (Harmful and dangerous? Wow, twice as scary…)
But my favourite story of the day (so far) comes from The Register, where I read that Alejandro Hernández told Brucon that:
If you can sniff brain data in the wire, you can do replay attacks [such as] if there is no security mechanism between an operator and a drone [or by] tampering with EEG data so it is not the same that was recorded by the electrodes.
What can I say? When Team Cymru told us recently How Scammers Abuse Our Brains, I don’t think they meant ‘the ability to steal, manipulate, and replay brain waves used in electroencephalography (EEG)’.
Well, Hernández seems to have made at least one fair point: the time to think about EEG-related security is while the technology is evolving, not when vulnerable devices are already scattered about the healthcare universe, and certainly before we get too used to the idea of brainwaves used as authentication. Just as the time to think about securing other medical devices was before remotely controlling pacemakers and insulin pumps became a staple of security conferences and TV dramas.
However, a lot of the panic-inducing commentary I’ve seen recently has been along the lines of ‘if bad people could somehow smuggle X into Y they could cause Z’. And such assertions may be right (or might turn out to be a Furby fiasco), but a hypothesis is not the same as a proven vulnerability. The trouble is, there are a lot of organizations (politicians, security agencies, and yes, vendors, though not all members of these categories thrive on hyping threats) who benefit from inspiring FUD (Fear, Uncertainty, Doubt). On the other hand, I can think of many groups who might want to read your mind as one step in a process of psychological manipulation.
And on that somewhat ambivalent note I might have left it, except that an old blues-y thing (one of several known as Cocaine Blues) I’ve been thinking about in the last few days seems custom-made for some topical refurbishing.
I won’t go to Heathrow, I ain’t insane
Blackhat hackers might hack my plane
Whoa-oa, Stuxnet all over again
I won’t fly or go by sea
Sea port hackers aiming gas at me
Whoa-oa, Sarin all over the world
Hey doc won’t you please come quick
Bugs in my pacemaker making me sick
Trojans all round my brain
Made for my keyboard on the lope
The man from the newsdesk said ‘no more hope’
Whoa-oa, hackers all round my brain
Looked in my mirror and what do I see
Somebody’s government has tabs on me
Whoa-oa, agents all round my brain
Hey nurse won’t you please come quick
EEG says I’m really sick
Paranoia all round my brain
Ain’t going shopping, that ain’t my speed
Amazon will tell me anything I need
Whoa-oa, Facebook all around my brain
Hm. I think that might find its way into my off-piste repertoire. 🙂